Over the last week, I’ve observed an uptick in fraudulent advertisements on Instagram, the popular social networking app, promoting masks, hand sanitizer and other essential goods low in supply and high in demand. These opportunists are not only capitalizing on the public’s fears around COVID-19 by offering masks and disinfectant products at inflated prices, they are also capitalizing on their goodwill by claiming to donate masks to hospitals in need with every purchase.

Whether or not these products are legitimately delivered to the buyers is uncertain. But, by exploiting demand and selling these products at a steep markup, the opportunists not only stand to make a tidy profit from their efforts, they’re also potentially depriving medical professionals and others on the frontlines from accessing these much-needed supplies. For example, New York’s governor recently revealed that face masks which normally sell for 58 cents each are being offered to the state for $7.50.

Facebook policy banning certain COVID-19 related advertisements

On March 6, Facebook announced it would temporarily ban ads and listings on its marketplace selling medical face masks. The policy change was confirmed by Rob Leathern, head of trust and integrity for Facebook ads and business platform, and Adam Mosseri, head of Instagram.

Update: We’re banning ads and commerce listings selling medical face masks. We’re monitoring COVID19 closely and will make necessary updates to our policies if we see people trying to exploit this public health emergency. We’ll start rolling out this change in the days ahead.

On March 19, Leathern announced that ads for other goods including hand sanitizers, disinfecting wipes and test kits are also banned.

In addition to masks, we're now also banning hand sanitizer, surface disinfecting wipes and COVID-19 test kits in ads and commerce listings. This is another step to help protect against inflated prices and predatory behavior we’re seeing (1/2)

However, despite the ban, advertisements continue to appear on Facebook and Instagram, some as recently as March 26.

Advertisements in the Instagram Feed and Instagram Stories

I began observing an uptick in activity in my Instagram Feed on Friday, March 20. All of a sudden, every single sponsored post in my Instagram Feed had something to do with masks, whether it be N95 masks, surgical masks or face shields.

Many of the advertisements don’t overtly reference COVID-19 or the novel coronavirus that causes it in their posts. They do, however, talk about protecting oneself from “harmful particles” and how to “stay protected at all times” while referencing N95 masks or harmful viruses and bacteria, implying a connection to COVID-19.

The advertisements weren’t just showing up in my Instagram Feed. I saw many advertisements in my Instagram Stories as well.

I’ve noticed some interesting trends in relation to the advertisements as well as their origins.

Instagram native vs. Facebook advertisers

One common misconception is that an advertiser needs to have an Instagram account to create sponsored posts on Instagram. This isn’t the case. Facebook advertisers can push advertisements to Instagram using Facebook Ads Manager.

I observed a variety of ads, both native to Instagram as well as from Facebook advertisers.

Below is an example of a native advertisement placed by a newly created Instagram page, duamaskcom.

Below is an example of an advertisement placed by a Facebook page named Plengoods.

Clicking the Plengoods name or avatar leads the user to a special page that identifies Plengoods as a Facebook advertiser with the statement, “This Facebook advertiser isn’t on Instagram.” It also provides the viewer with information about how many Facebook followers the page has, which was 48 at the time I conducted this research.

Instagram and Facebook Page created for COVID-19 ad placements

A variety of these accounts were recently created solely for the purpose of promoting COVID-19-related items like surgical masks and N95 masks.

Accounts weren’t only being created on Instagram. Some Facebook pages appear to be newly created as well, such as the GetN95Mask page below, which had 0 Facebook followers when its advertisement was posted to Instagram.

The opportunists have also created pages for made-up individuals, such as an author named Olivia Wright.

Some advertisements provide direct links to websites offering masks for sale, while others use the URL shortener Bitly to shorten the links to their websites. Unfortunately, detailed analytics on these shortened URLs are no longer available publicly, so I was not able to identify how many individuals had visited them.

Many of the images on these advertisements are similar, likely stock photographs or images from other websites selling these types of masks.

I discovered a pair of Instagram accounts using an identical video in their mask advertisement. The only difference is that in the case of the.blue.mango page, they added an overlay featuring the.blue.mango logo.

Compromised pages on Facebook and Instagram

In addition to creating new pages, opportunists have also compromised the accounts of existing pages and used them to promote these products.

The Facebook Page for a Greek restaurant in Zimbabwe was compromised and used to push an advertisement for surgical masks to Instagram. The page does not appear to have been maintained since 2008.

A page belonging to Asalud Colombia, a Columbian health association, appears to have been hacked as well, as it was used to push an advertisement for surgical masks. It is unclear if the Instagram account itself was hacked, or if it was linked to a compromised Facebook page.

The “Learn More” link in the advertisement does not direct users to the Colombian Health Association website (asaludpp.com), directing them instead to a product page on tuieshop.com.

An Instagram page for Youth Beauty Hair, youthbeautyboutique, appears to have been hacked and used to promote “FDA approved medical-grade masks” in an advertisement. Their page included the post as part of their feed.

The advertisement references a website, emergensupply.com, which was registered on March 9, 2020. Because the ad drives traffic to a newly developed website, instead of to the Youth Beauty Hair website, this leads me to believe their Instagram account was compromised and the opportunists are driving users to a different website.

A Twitter user named “suhopremacist_” tweeted a screenshot of an advertisement from smglobalshop, the official merchandise shop for SM Entertainment, South Korea's largest entertainment company. The page boasts over 235,000 followers.

After further digging, I found that a listing was created on the SM Global Shop website for KN95 masks. However, this page was removed from the website. It is unclear how SM Global Shop’s Instagram page was compromised to host the advertisement while also creating an actual product page on their website. The removal of the product page suggests that opportunists managed to breach their website as well.

Claims of mask donations to a hospital in need

I encountered an account called gridironagency. The page created an advertisement cautioning followers to practice social distancing. It went on to say that the agency was allegedly partnering with “GDMD” to donate masks to “New York Sloan Kettering Hospital.” The post claims that for every mask purchased from the GDMD website, they would donate two “surgical mask” [sic] to the hospital. A few red flags are present. The first is that they did not use the correct name for the facility. It’s actually the Memorial Sloan Kettering Cancer Center. The second is that their advertisement isn’t promoting surgical masks; it is promoting N95 masks instead.

Their page also features an image of a tweet of a BuzzFeed News article that mentions that Memorial Sloan Kettering Cancer Center in New York was running low on masks. Their website, gridironmd.com, was registered on March 16, 2020, making it highly suspect that this agency would actually be partnering and donating these masks. However, it is unclear if the page was hacked or if the page operators merely pivoted toward capitalizing on the interest in personal protective equipment (PPE).

Speaking of donations, another page called seektrendy has also been pushing an advertisement for masks on Instagram. Their page has historically been used to sell products like bunion correctors and more. They just recently started promoting masks. Their advertisement features a video with content taken from news clippings, referencing “coronavirus” and the growing fear of a “global pandemic.” The rest of the advertisement features details about how viruses spread and showcases how these masks protect people. The source of this video content is unclear.

Unlike gridironagency, seektrendy received comments from visitors who came across their advertisements on Instagram, asking them why they aren’t donating to hospitals that desperately need these masks. The administrator for the seektrendy page responded to these comments saying that they’ve “donated plenty of masks” while also calling out other organizations to donate other supplies like hand sanitizers, disinfectant sprays, wipes and toilet paper. A person identifying themselves as an ICU nurse made a similar comment, which was met by a response from seektrendy claiming they’ve donated “over 20 thousand mask (sic).” None of these claims made by seektrendy have been independently verified.

The comments on these posts point to one of the most frustrating aspects of these mask advertisements: If these sellers have masks, they should donate them to hospitals and other healthcare facilities that have a critical need for them, rather than selling them to individuals.

COVID-19-related advertisements from unexpected pages

Another noteworthy aspect of these advertisements is some originated from unexpected pages that aren’t specifically associated with medicine or PPE.

One such page, jennysbeautyspot, is not a new Instagram page, according to the Instagram API. Also, the domainjennysbeautyspot.com was registered in July 2019. The website claims to sell beauty-related goods. However, it appears to have also pivoted to selling carbon filter masks.

Visiting their website, there’s a product page for a premium carbon filter mask.

Another page I discovered was for hikari.company, which bills itself as a company offering “simple and elegant jewelry,” according to their Instagram page. However, they are also advertisings masks on their website, including one called the DispoMask.

The company’s website has a section dedicated to masks, where visitors can purchase masks and hand sanitizers.

Advertisements from legitimate ecommerce platform

Interestingly, I was also served advertisements for surgical masks from Wish, a popular ecommerce platform that “facilitates transactions between sellers and buyers.”

At first, I wasn’t sure if these were fraudulent pages claiming to be Wish. However, I was able to verify the advertisements originated from Wish because the Facebook advertising information showed they had nearly 40 million Facebook followers, and the “Shop Now” link directs users to install the Wish application from the App Store.

Opportunists aren’t just peddling masks

While N95 and surgical masks are some of the most visible parts of COVID-19 coverage due to their limited or lack of availability, the opportunists are also targeting other goods that are low in supply and high in demand.

High-demand goods: Hand sanitizer, toilet paper and gloves

It’s no surprise that opportunists have also been pushing advertisements for hand sanitizer, given the high demand for it.

Next to hand sanitizer, toilet paper has become another high-demand item. I encountered multiple advertisements promoting popular toilet paper brands from Facebook advertisers publishing ads to Instagram.

Gloves are another high-demand good that is low in supply, with ads capitalizing on fear about coming into contact with coronavirus via touching surfaces with bare hands.

Obscure items

Beyond the high-demand items, I also encountered multiple obscure items being promoted that are related to COVID-19.

One ad promoted an item called Virus Shut Out, a “VIRUS disinfection card” that supposedly blocks viruses in the air surrounding the wearer. The product page also claims it was tested by Hokkaido Medical Care Center and is 99.8% effective.

The U.S. Environmental Protection Agency (EPA) recently published a news release about this product, cautioning that it had blocked shipments of Virus Shut Out from entering Honolulu and Guam. The EPA has not registered the product, so its “safety and efficacy against viruses have not been evaluated.” The EPA also warns that it will “not tolerate companies selling illegal disinfectants and making false or misleading public health claims during this pandemic crisis.”

I’ve also noticed several advertisements on Instagram touting the use of ultraviolet (UV) light as a form of sanitization against COVID-19.

The World Health Organization (WHO) has answered the question of “Can an ultraviolet disinfection lamp kill the new coronavirus?” on its COVID-19 myth busters page. WHO cautions against using UV “lamps” to sterilize “hands or other areas of skin” due to the potential skin irritation that can occur. However, WHO does not specifically comment on the effectiveness of using UV light against COVID-19.

Shopify platform used to facilitate opportunism

Throughout this investigation, I saw two separate methods by which masks and other goods are being sold. Most of the websites I encountered used Shopify, the popular ecommerce platform. Opportunists created brand-new websites to promote masks because of the scarcity.

In addition, it appears that opportunists have compromised other websites on Shopify and used them to host pages related to products like masks, hand sanitizer and toilet paper.

SM Global Shop is the best example. It is built on Shopify and was promoting KN95 masks for a brief period of time. However, since the page is no longer accessible, it is likely SM Global Shop realized their Shopify account was compromised and removed the fraudulent product page.

Another example is Knife Love, a website touting jewelry, which serves up a product page with conflicting information.

Many of the websites offering COVID-19-related items like masks and hand sanitizers use what’s called dropshipping. In essence, individuals act as middlemen, setting up a website and placing ads for products they don’t actually possess. Instead, when an order is placed, they source the product from a third party, providing the shipping address for their customer, who then receives the product directly from the third party.

Many of these advertisers appear to use dropshipping to sell a variety of masks sourced from websites like AliExpress, an online retailing service owned by Alibaba Group.

Some of the masks shown earlier can be purchased for cheap from AliExpress. For example, the “Anti Dust” mask shows a price of $0.32 with a shipping charge of $0.82.

Earlier in this post, we looked at an ad for a mask from an unexpected Instagram page, jennysbeautyspot. The mask was being sold for $20 on the jennysbeautyspot Shopify page. By using dropshipping, the opportunist is making a profit of $18. The estimated delivery for the product is between 30 to 50 days, so some users may actually receive the product weeks after they purchased it. However, there may be some instances where they never actually receive the product at all.

Reporting mask, hand sanitizer and essential good ads to Instagram

Instagram allows users to report these advertisements from within the ads themselves. Click the three dots on the bottom (Instagram Stories) or top (Instagram Feed) of the advertisement. Click “Report Ad” and then select “It’s a scam or it’s misleading.”

Report an ad in Instagram Stories

Report an ad in Instagram Feed

COVID-19 and the growing landscape of threats, misinformation and opportunism

Over the last few months, COVID-19 has been top of mind for most of the world, enabling opportunistic individuals to capitalize on fears and uncertainties. Whether it’s cybercriminals, scammers or those seeking to make a profit from the scarcity of essential goods, COVID-19 has proven to be a successful tool and it will continue to serve as one until the end of the pandemic. That’s why it is important for individuals to seek out information from credible sources, be wary of unsubstantiated cures, refrain from buying masks and purchase essential products from verified sellers or retailers. What we’ve seen so far from these opportunists is just the tip of the iceberg. Unfortunately, I anticipate many more campaigns to come.

Thank You

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

Thank You

Try Tenable.io Container Security

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Thank You

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try Tenable Lumin

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Thank You

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.Reduce the Risk You Don’t.

Thank You

Thank you for your interest in Tenable.ot. A representative will be in touch soon.

The cookie settings on this website are set to 'allow all cookies' to give you the very best website experience. If you continue without changing these settings, you consent to this - but if you want, you can opt out of all cookies by clicking below.